From: Gregory Maxwell
To: Jeremy
Cc: Bitcoin Dev, alex@stamos.org
Date: Sun, 27 Jul 2014 19:29:52 -0700
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

On Sun, Jul 27, 2014 at 7:12 PM, Jeremy wrote:
> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of any
> tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic

How do you know what traffic it's actually doing?

> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the company hosting is 299€/mo with 50TB of traffic

I'm confused as to how it's doing anything at all, as it doesn't have the
exit flag. (IIRC, Tor directories won't give you the exit flag unless you
exit 80/443 to a pretty substantial chunk of IPv4 space.)
Because of this, no normal Tor node should be selecting it as an exit. Could
this just be lying about its traffic levels?
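The exit-flag point above can be checked mechanically against a relay's advertised exit policy. The following is an added example, not code from this thread or from the Tor project: it parses Tor-style `accept`/`reject` exit-policy rules, evaluates them first-match as a client would, and applies the Exit-flag heuristic Gregory describes. The concrete threshold used (the policy must permit exit to at least one /8 of IPv4 space on each of ports 80 and 443) is an assumption taken from my recollection of Tor's directory specification; the sample policies are constructed for illustration, including one that only opens port 8333 as in the report.

```python
"""Parse a Tor relay exit policy and apply the Exit-flag heuristic (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class ExitRule:
    accept: bool
    network: ipaddress.IPv4Network
    port_min: int
    port_max: int


def parse_exit_policy(policy: str) -> List[ExitRule]:
    """Parse comma- or newline-separated 'accept|reject ADDR[/MASK]:PORT[-PORT]' rules.

    Only IPv4 rules are handled; accept6/reject6 lines are skipped (simplification).
    A rule with no ':PORT' part applies to all ports.
    """
    rules: List[ExitRule] = []
    for item in policy.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        action, _, target = item.partition(" ")
        if action in ("accept6", "reject6"):
            continue
        if action not in ("accept", "reject"):
            raise ValueError(f"unknown policy action: {action!r}")
        addr, sep, ports = target.strip().rpartition(":")
        if not sep:                      # "accept 1.2.3.4" means every port
            addr, ports = ports, "*"
        network = (ipaddress.IPv4Network("0.0.0.0/0") if addr == "*"
                   else ipaddress.IPv4Network(addr, strict=False))
        if ports == "*":
            lo, hi = 1, 65535
        elif "-" in ports:
            lo, hi = (int(p) for p in ports.split("-", 1))
        else:
            lo = hi = int(ports)
        rules.append(ExitRule(action == "accept", network, lo, hi))
    return rules


def exit_allowed(rules: Sequence[ExitRule], address: str, port: int) -> bool:
    """First matching rule wins. No match falls back to reject (assumption: a
    descriptor's policy always ends in 'reject *:*', which has the same effect)."""
    ip = ipaddress.IPv4Address(address)
    for r in rules:
        if ip in r.network and r.port_min <= port <= r.port_max:
            return r.accept
    return False


def allows_exit_to_a_slash8(rules: Sequence[ExitRule], port: int) -> bool:
    """True if some /8 is reachable on `port` before a catch-all reject hides it.

    Rules narrower than a /8 are ignored, so a policy that only opens a /24
    does not count as exiting to a 'substantial chunk' of IPv4 space.
    """
    rejected_slash8s = set()
    for r in rules:
        if not (r.port_min <= port <= r.port_max):
            continue                      # rule does not cover this port
        if r.network.prefixlen > 8:
            continue                      # narrower than a /8: too small to count
        first = int(r.network.network_address) >> 24
        last = int(r.network.broadcast_address) >> 24
        covered = set(range(first, last + 1))
        if r.accept:
            if covered - rejected_slash8s:
                return True
        else:
            rejected_slash8s |= covered
    return False


def would_get_exit_flag(rules: Sequence[ExitRule],
                        required_ports: Sequence[int] = (80, 443)) -> bool:
    """Exit-flag heuristic (assumed threshold): a /8 must be reachable on every required port."""
    return all(allows_exit_to_a_slash8(rules, p) for p in required_ports)


# Constructed sample policies (not taken from any real relay descriptor).
BITCOIN_ONLY_POLICY = "accept *:8333, reject *:*"
GENERAL_EXIT_POLICY = (
    "reject 0.0.0.0/8:*, reject 127.0.0.0/8:*, reject 10.0.0.0/8:*, "
    "reject 172.16.0.0/12:*, reject 192.168.0.0/16:*, "
    "accept *:80, accept *:443, reject *:*"
)
NARROW_WEB_POLICY = "accept 203.0.113.0/24:80, accept 203.0.113.0/24:443, reject *:*"

if __name__ == "__main__":
    for name, text in [("bitcoin-only", BITCOIN_ONLY_POLICY),
                       ("general exit", GENERAL_EXIT_POLICY),
                       ("narrow web", NARROW_WEB_POLICY)]:
        rules = parse_exit_policy(text)
        print(f"{name:13s} exit flag={would_get_exit_flag(rules)!s:5s} "
              f"8333 allowed={exit_allowed(rules, '198.51.100.7', 8333)}")
```

Run stand-alone, the script shows the case Gregory raises: the 8333-only policy would let a client exit to a Bitcoin peer if that client ever picked the relay, but it fails the Exit-flag heuristic, so ordinary clients never select it as an exit; the narrow /24 policy fails for the same reason even though it opens 80 and 443. Comparing a relay's self-reported bandwidth against what its policy could plausibly carry is a cheap first sanity check before believing a traffic claim.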